LFI / RFI (Local / Remote File Inclusion)

LFI / RFI are the most common vulnerabilities in unsecure web applications. Essentially a website (usually PHP, but doesn't have to be) will allow user input without any sort of (or poor) input sanitization. This mean that a rogue user can use the vulnerability to read local or remote files that can provide information and/or even provide a way to do remote code execution (RCE).

Basic examples:

  1. index.php?page=/etc/passwd

  2. index.php?page=../../../home/falcon/.ssh/id_rsa

PreviousXXE (XML External Entity)NextCSRF (Cross-Site Request Forgery)

Last updated